The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago.

This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams.

Impersonating law firms

Analysts at Abnormal Security, who first discovered Crimson Kingsnake activity in March 2022, report having identified 92 domains linked to the threat actor, all similar to genuine law firm sites.

This typosquatting approach enables the BEC actors to send out emails to victims via an address that appears authentic at first glance.

The emails contain the logos and letterheads of the impersonated entities and are crafted professionally, featuring punctual writing.

Fabricated invoices and details sent to targets (Abnormal Security)

 

The law firms impersonated by Crimson Kingsnake include:

• Allen & Overy
• Clifford Chance
• Deloitte
• Dentons
• Eversheds Sutherland
• Herbert Smith Freehills
• Hogan Lovells
• Kirkland & Ellis
• Lindsay Hart
• Manix Law Firm
• Monlex International
• Morrison Foerster
• Simmons & Simmons
• Sullivan & Cromwell

These are major multinational firms with a global footprint, so the threat actors assume the target will recognize them, which adds legitimacy to the email.

Crimson Kingsnake attacks

The phishing emails don't target specific industries or countries but are distributed somewhat randomly in what Abnormal Security calls "blind BEC attacks."

If any recipients fall for the bait and request more information about the invoice, Crimson Kingsnake responds by providing a fake description of the provided service.

In some cases where the BEC actors meet resistance, they add a false "reply" from an executive in the targeted company to approve the transaction.

"When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company," explains the report by Abnormal Security.

"When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive."

"In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and “authorizes” the employee to proceed with the payment."

Crimson Kingsnake impersonating an executive on the target firm (Abnormal Security)

 

While the email originates from outside the company, the executive's email address can still trick the recipient, especially if there are no mailbox filters and warning systems to alert the targeted employee.

BEC attacks rising

BEC attacks are only a tiny part of all the daily phishing emails circulating in global inboxes, but even in these low volumes, it’s still a multi-billion problem.

According to the FBI, from 2016 until 2019, reported cases of BEC-induced losses amounted to $43 billion, while in 2021 alone, the IC3 recorded $2.4 billion lost by 19,954 entities to BEC scams.

Abnormal Security’s H1 2022 Email Threat Report also reports a rise in BEC attacks by 84% in H2 ‘21, measuring an average of 0.82 emails per 1,000 inboxes.

According to the same report, organizations with over 50,000 employees have a 95% chance of receiving a BEC email weekly.

In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.

In addition, Unit 42 discovered that the threat actors created a site that impersonates the Veeam Backup and Recovery software.

Besides copying the HTML code to reproduce the genuine sites, the hackers also registered typo-squat 'lookalike' domains to further add authenticity to the malicious site.

BlackBerry previously detected the RomCom malware used in attacks against military institutions in Ukraine.

Impersonating legitimate software

The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent.

The spoofed Solarwinds website (BlackBerry)

 

The downloaded app, though, has been modified to include a malicious DLL that downloads and runs a copy of the RomCom RAT from the "C:\Users\user\AppData\Local\Temp\winver.dll" folder.

Contents of downloaded Solarwinds ZIP (BlackBerry)

 

Interestingly, the downloaded executable ("Solarwinds-Orion-NPM-Eval.exe") is signed with the same digital certificate the RAT’s operators used in the Ukraine campaign, which shows the owner as "Wechapaisch Consulting & Construction Limited."

In the case of the cloned site for KeePass, which BlackBerry only discovered on November 1, 2022, the threat actors are distributing an archive named "KeePass-2.52.zip."

Fake KeePass website pushing RomCom RAT (BlackBerry)

 

The ZIP file contains several files, including the "hlpr.dat," which is the RomCom RAT dropper, and "setup.exe," which launches the dropper. Setup.exe is what the user is expected to execute manually after downloading the archive.

Contents of the downloaded ZIP file (BlackBerry)

 

BlackBerry’s researchers also located a second spoofed KeePass site and a PDF Reader Pro site, both using the Ukrainian language.

Another fake KeePass site targeting Ukrainians (BlackBerry)

 

This indicates that while RomCom is still targeting Ukraine, they have also shifted targets to include English-speaking users.

It is unclear at this time how the threat actors are luring potential victims to the sites, but it could be through phishing, SEO poisoning, or forum/social media posts.

No attribution

In August 2022, Palo Alto Networks’ Unit 42 associated the RomCom RAT with an affiliate of the Cuba Ransomware named 'Tropical Scorpius,' as this was the first actor to employ it.

RomCom RAT was a then-unknown malware supporting ICMP-based communications and offering operators ten commands for file actions, process spawning and spoofing, data exfiltration, and launching a reverse shell.

BlackBerry’s previous report on RomCom RAT argued there was no concrete evidence pointing the operation to any known threat actors.

The new report mentions Cuba Ransomware and Industrial Spy as potentially connected to this operation; however, the motivation behind the RomCom operators still remains unclear.

Source

Cybersecurity company Proofpoint reported on Wednesday that a threat actor it tracks as TA569 appears to be behind the attack. The hackers have targeted an unnamed media company that serves many news outlets in the US.

The service provider delivers content to its partners via a JavaScript file. The attacker modified the codebase of that script to push a piece of malware known as SocGholish to the affected news websites’ visitors.

More than 250 news sites are impacted, including in Boston, New York, Chicago, Washington DC, Miami, Palm Beach and Cincinnati. The actual number of victims could be higher.

“TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive,” Proofpoint explained in a Twitter thread.

SocGholish, also known as FakeUpdates because it’s often delivered as fake browser updates, has been around since at least 2017.

Web security firm Sucuri reported in August that it had seen 25,000 sites infected with the malware since the beginning of January and 61,000 infected sites in 2021.

SocGholish is a JavaScript malware framework and it has been linked by some to the notorious Russian cybercrime group named Evil Corp (ala Indrik Spider and TA505). However, Proofpoint does not believe TA569, which has been around since at least the end of 2016, is actually Evil Corp.

In a previous report, Proofpoint said it had seen SocGholish being leveraged for ransomware distribution.

Source

These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022.

The report additionally warns of a rise in all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks.

Outdated mobile OS

Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, run code on the device, plant spyware, steal credentials, and more.

For example, last week, Apple released iOS 16.1, fixing an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.

Lookout reports that ten months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system.

The situation is much worse for Android, as ten months after the release of version 12, approximately 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions, thus remaining vulnerable to bugs that can be exploited in attacks.

It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.

Notably, 10.7% of the federal government and another 17.7% of state and local government devices were running Android 8 and 9, which reached the end of support in November 2021 and March 2022, respectively.

These two OS versions carry over two thousand known vulnerabilities that Google will not fix, and the list only gets longer each month.

Mobile attacks rising

According to Lookout, the most common attack against mobile users is malware delivery, accounting for about 75%, while credential harvesting represents most of the remaining percentage.

While commodity malware usually infects Android mobile devices using fake apps, advanced spyware developers are known to use zero-day vulnerabilities in targeted attacks against journalists, politicians, and activists.

The analysts say when comparing year-over-year stats, malware distribution is gradually dropping, and credential theft attacks are increasing.

In 2022, 1 out of 11 government employees monitored by Lookout were targeted by a phishing attack, with both managed and unmanaged devices having roughly the same targeting rate.

Of those who clicked on the malicious links and were warned about their error, 57% did not repeat their mistake, 19% clicked again, and 24% clicked over three times.

To aid in securing devices, the U.S. Cybersecurity & Infrastructure Agency (CISA) has created a 'Known Exploited Vulnerabilities Catalog' that contains a list of vulnerabilities actively exploited in attacks and a deadline by which federal agencies must patch them.

However, while CISA advises state, local, and tribal governments to follow the same guidelines, they are not required to do so under this directive.

Furthermore, the report comes mere days before the U.S. midterm elections, with Trellix and the FBI reporting that election workers and election officials are being targeted with phishing campaigns to install malware or steal credentials.

Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

While Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on June 13th, 2022. 

Emotet returns

Researchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.

Proofpoint threat researcher, and Cryptolaemus member, Tommy Madjar, told BleepingComputer that today's Emotet email campaigns are using stolen email reply chains to distribute malicious Excel attachments.

From samples uploaded to VirusTotal, BleepingComputer has seen attachments targeted at users worldwide under various languages and file names, pretending to be invoices, scans, electronic forms, and other lures.

A partial listing of example file names can be seen below:

Scan_20220211_77219.xls
fattura novembre 2022.xls
BFE-011122 XNIZ-021122.xls
FH-1612 report.xls
2022-11-02_1739.xls
Fattura 2022 - IT 00225.xls
RHU-011122 OOON-021122.xls
Electronic form.xls
Rechnungs-Details.xls
Gmail_2022-02-11_1621.xls
gescanntes-Dokument 2022.02.11_1028.xls
Rechnungs-Details.xls
DETALLES-0211.xls
Dokumente-vom-Notar 02.11.2022.xls
INVOICE0000004678.xls
SCAN594_00088.xls
Copia Fattura.xls
Form.xls
Form - 02 Nov, 2022.xls
Nuovo documento 2022.11.02.xls
Invoice Copies 2022-11-02_1008, USA.xls
payments 2022-11-02_1011, USA.xls

Today's Emotet campaign also introduces a new Excel attachment template that contains instructions to bypass Microsoft's Protected View.

When a file is downloaded from the Internet, including as an email attachment, Microsoft will add a special Mark-of-the-Web (MoTW) flag to the file.

When a user opens a Microsoft Office document containing a MoTW flag, Microsoft Office will open it in Protected View, preventing macros that install malware from being executed.

However, in the new Emotet Excel attachment, you can see that the threat actors are instructing users to copy the file into the trusted 'Templates' folders, as doing this will bypass Microsoft Office's Protected View, even for files containing a MoTW flag.

"RELAUNCH REQUIRED In accordance with the requirements of your security policy, to display the contents of the document, you need to copy the file to the following folder and run it again:

for Microsoft Office 2013 x32 and earlier - C:\Program Files\Microsoft Office (x86)\Templates 
for Microsoft Office 2013 x64 and earlier - C:\Program Files\Microsoft Office\Templates
for Microsoft Office 2016 x32 and later - C:\Program Files (x86)\Microsoft Office\root\Templates 
for Microsoft Office 2016 x64 and later - C:\Program Files\Microsoft Office\root\Templates"

While Windows will warn users that copying a file into the 'Templates' folder requires 'administrators' permissions, the fact that a user is attempting to copy the file indicates that there is a good chance they will also press the 'Continue' button.

When the attachment is launched from the 'Templates' folder, it will simply open and immediately execute macros that download the Emotet malware.

The Emotet malware is downloaded as a DLL into multiple random-named folders under %UserProfile%\AppData\Local, as shown below.

The macros will then launch the DLL using the legitimate regsvr32.exe command.

Once downloaded, the malware will quietly run in the background while connecting to the Command and Control server for further instructions or to install additional payloads.

Madjar told BleepingComputer that today's Emotet infections have not begun dropping additional malware payloads on infected devices.

However, in the past, Emotet was known for installing the TrickBot malware and, more recently, Cobalt Strike beacons.

These Cobalt Strike beacons are then used for initial access by ransomware gangs who spread laterally on the network, steal data, and ultimately encrypt devices.

Emotet infections were used in the past to give Ryuk and Conti ransomware gangs initial access to corporate networks.

Since Conti's shutdown in June, Emotet was seen partnering with the BlackCat and Quantum ransomware operations for initial access on already infected devices.

Source

This ad would appear to be legitimate as it'd state 'GIMP.org' as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.

'GIMP' malvertising abuses Google ads

Up until last week, googling for 'GIMP' would bring up a Google ad that'd appear to take you to the open source graphics editor's official website 'GIMP.org.'

But instead this malvertising campaign drove visitors to a lookalike, phishing page delivering a malicious 'Setup.exe' that appeared to be the GIMP utility for Windows.

Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware.

BleepingCompuer observed another domain 'gimp.monster' related to this campaign.

To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, that is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding.

Google ads 'display URL' vs. 'landing URL'

All of this has still left users puzzled as to why the Google ad showed 'GIMP.org' as the destination domain in the first place, when the ad actually took users to the fake 'gilimp.org' site.

Redditor RawPacket surmised if this was result of the threat actor creating a Google ad using IDN homograph technique that'd make Cyrillic 'gіmp.org', which is reality is http://xn--gmp-jhd.org/, appear akin to the Latin 'gimp.org.'

But, given the use of phishing domains 'gilimp.org' and 'gimp.monster' used in this campaign, the scenario seems unlikely.

Google lets publishers create ads with two different URLs: a display URL to be shown in the ad, and a landing URL where the user will actually be taken to.

The two need not be the same, but there are strict policies around what is permitted when it comes to display URLs, and these need to use the same domain as the landing URL.

"Advertisers use a landing page URL to send people to a specific area of their website," explains Google.

"Your ads' URLs should give customers a clear idea of what page they'll arrive at when they click on an ad. For this reason, Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad."

It still isn't clear if this instance was a slip up caused by a potential bug in Google Ad Manager that allowed malvertising. BleepingComputer has approached Google for comment.

Part of ongoing VIDAR infostealer campaigns

BleepingComputer was able to obtain a copy of the malicious executable and we can confirm it is an infostealing trojan called VIDAR.

VIDAR infostealers work by connecting to their command-and-control (C2) server and awaiting further instructions.

But, before accomplishing that, the malicious 'Setup.exe' fetches a 'Htcnwiij.bmp' file from a Russia-based URL:

The file above appears to be a Bitmap image in a web browser but is instead a DLL packed as hex instructions for the malware to execute.

Further, BleepingComputer observed 'Setup.exe' contacting its C2 server (95.216.181.10), to retrieve C2 configuration, before downloading stage 2 payload.

Stage 2 of VIDAR typically comprises downloading a ZIP archive with additional DLL dependencies and modules that'd aid in its credential theft and info-stealing activities:

The data that Vidar variants attempt to steal from infected machines includes the following:

• All popular browser information such as passwords, cookies, history, and credit cards details.
• Cryptocurrency wallets.
• Files according to regex strings given by the TA.
• Telegram credentials for Windows versions.
• File transfer application information (WINSCP, FTP, FileZilla)
• Mailing application information. 

Security researcher and bug bounty hunter 0x0Luke further analyzed the malvertising campaign targeting GIMP users and described what all 'Setup.exe' was stealing.

Previously, domain typosquatting campaigns employing VIDAR have targeted users of at least 27 software products including Notepad++, Microsoft Visual Studio, and Brave browser.

In another instance, threat actors employing VIDAR were caught abusing Mastodon, an open source social networking platform to silently retrieve the malware's C2 configuration.

Source

They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East.

The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions.

To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.

"To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief," Kaspersky said.

"Most of these social media accounts contain a link to a Telegram channel also created by the attacker."

While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours their devices for sensitive data and exfiltrates it to its operators' servers.

This malware will steal various types of information like call logs and contact lists and will also monitor compromised Android devices to help its creators keep track of the victims' activity.

Middle East malicious activity recap

Security researchers who spotted the malware in the wild are yet to pin its development on a specific threat group.

On Tuesday, Kaspersky also published its APT trends report for Q3 2022, highlighting more interesting discoveries linked to malicious activity in the Middle East.

The company highlights a new IIS backdoor known as FramedGolf deployed in attacks targeting Exchange servers not patched against ProxyLogon-type security flaws.

"The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022," Kaspersky revealed.

In September, the company also shared analysis on a newly found malware platform dubbed Metatron used against telecom companies, internet service providers, and universities across Africa and the Middle East.

Kaspersky says Metatron "is a modular implant boot-strapped through a Microsoft Console Debugger script" that comes with "multiple transport modes and offers forwarding and port knocking features."

Source

Some of these sites offer victims to download fake security tools or updates, to trick users into installing the malicious files manually.

At the time of publishing, the apps are still present on Google Play under a developer account called Mobile apps Group, and have a total install count of more than one million.

According to a report from Malwarebytes, the same developer was exposed twice in the past for distributing adware on Google Play but it was allowed to continue publishing apps after submitting cleaned versions.

The four malicious apps uncovered this time are:

• Bluetooth Auto Connect, with over 1,000,000 installs
• Bluetooth App Sender, with over 50,000 installs
• Driver: Bluetooth, Wi-Fi, USB, with over 10,000 installs
• Mobile transfer: smart switch, with over 1,000 installs

The apps don’t have favorable reviews on Google Play and many users left comments about intrusive ads that open automatically in new browser tabs.

Interestingly, the developer responds to some of these comments, offering to help resolve the ad problems.

BleepingComputer has contacted ‘Mobile apps Group’ to request a comment about the Malwarebytes researchers' findings but we have not heard back yet.

72 hours of delay

By monitoring the activity of the software from Mobile apps Group, Malwarebytes found that the apps have a 72-hour delay before showing the first ad or opening a phishing link in the web browser, and then continue to launch more tabs with similar content every two hours.

The researchers note that new browser tabs are opened even when the device is locked, so when users return to their phones after a while, they find multiple phishing and ad sites opened.

Analysis of the Manifest file revealed that the developer tried to obfuscate logs for the actions performed by using nonsense log descriptor such as "sdfsdf."

While this method works against automated code scanners, it helped the researchers spot the actions easier.

To keep adware away from your device, avoid installing apps from unofficial Android stores. Reading user reviews, monitoring battery usage, and network data activity, also helps determine if the device is running suspicious software. Keeping Google's Play Protect feature active is also a good way to keep the device safer.

If you have one of the above apps present on your Android device, it is recommended to remove them and run a full system scan using Play Protect or a mobile antivirus suite from a reputable vendor.

BleepingComputer has also contacted Google for a comment about the developer's history and their current apps, and we will update this story as soon as we hear back.

Source

The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent.

"To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers," Dropbox revealed on Tuesday.

"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)."

The successful breach resulted from a phishing attack that targeted multiple Dropbox employees using emails impersonating the CircleCI continuous integration and delivery platform and redirecting them to a phishing landing page where they were asked to enter their GitHub username and password.

On the same phishing page, the employees were also asked to "use their hardware authentication key to pass a One Time Password (OTP)."

130 code repositories were stolen during the breach

After stealing the Dropboxers' credentials, the attackers gained access to one of Dropbox's GitHub organizations and stole 130 of its code repositories.

"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," the company added.

"Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled."

Dropbox added that the attackers never had access to customers' accounts, passwords, or payment information, and its core apps and infrastructure were not affected as a result of this breach.

In response to the incident, Dropbox is working on securing its entire environment using WebAuthn and hardware tokens or biometric factors.

In September, other GitHub users were also targeted in a similar attack impersonating the CircleCI platform and asking them to sign into their GitHub accounts to accept user terms and privacy policy updates to keep using the service.

"While GitHub itself was not affected, the campaign has impacted many victim organizations," GitHub said in an advisory at the time.

GitHub said it detected content exfiltration from private repositories almost immediately after the compromise, with the threat actors using VPN or proxy services to make tracing them more difficult.

Source

The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.

CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

"We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible," the OpenSSL team said.

"We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post."

Per Open SSL's policy, organizations and IT admins have been warned since October 25 to search their environments for vulnerable instances and prepare them for patching when OpenSSL 3.0.7 is released.

"If you know in advance where you are using OpenSSL 3.0+ and how you are using it then when the advisory comes you'll be able to quickly determine if or how you're affected and what you need to patch," Cox said.

OpenSSL also provides mitigation measures requiring admins operating TLS servers to disable TLS client authentication until the patches are applied.

Much ado about nothing?

While the initial warning prompted admins to take immediate action to mitigate the flaw, the actual impact is much more limited given that CVE-2022-3602 (initially rated as critical) has been downgraded to high severity and it only impacts OpenSSL 3.0 and later instances.

These recently released versions are also yet to be heavily deployed to software used in production compared to earlier versions of the OpenSSL library.

Additionally, even though some security experts and vendors have equated the discovery of this vulnerability with the Log4Shell flaw in the Apache Log4J logging library, only roughly 7,000 Internet-exposed systems running vulnerable OpenSSL versions out of a total of more than 1,793,000 unique hosts spotted by Censys online — Shodan lists around 16,000 publicly accessible OpenSSL instances.

Cloud security firm Wiz.io also said that only 1.5% of all OpenSSL instances were found to be impacted by this security flaw after analyzing deployments across major cloud environments (i.e., AWS, GCP, Azure, OCI, and Alibaba Cloud).

The Netherlands' National Cyber Security Centre is maintaining a list of software products confirmed to be (un)affected by this OpenSSL vulnerability.

The latest OpenSSL versions are included in the most recent releases of multiple popular Linux distributions, with Redhat Enterprise Linux 9, Ubuntu 22.04+, CentOS Stream9, Kali 2022.3, Debian 12, and Fedora 36 tagged as vulnerable by cybersecurity company Akamai.

Akamai has also shared OSQuery and YARA rules to help security teams find vulnerable assets and queue them for patching once the security update is released.

OpenSSL fixes two high severity vulnerabilities, what you need to know

The Azov Ransomware falsely claims to have been created by a well-known security researcher named Hasherazade and lists other researchers, myself, and BleepingComputer, as involved in the operation.

The ransom note, named RESTORE_FILES.txt, says that devices are encrypted in protest of the seizure of Crimea and because Western countries are not doing enough to help Ukraine in their war against Russia.

'Azov Ransomware' data wiper note to victims - Source: BleepingComputer

 

The ransom note tells victims to contact me, BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, or Vitali Kremez on Twitter to recover files, falsely implying that we are part of the ransomware operation.

To be clear, those listed in the ransom note are not associated with this ransomware and are being framed by the threat actor. Therefore, we, unfortunately, do not have the decryption keys and cannot help.

Furthermore, as there is no way to contact the threat actors to pay a ransom, this malware should be treated as a destructive data wiper rather than ransomware.

Unfortunately, victims have already started contacting BleepingComputer for help recovering files, and as much as we would like to help, there is no known way of helping at this time.

While the threat actors claim they are doing this in support of Ukraine, BleepingComputer knows of a Ukrainian organization affected by this data wiper.

The wiper takes its name from the Ukrainian Azov Regiment, a controversial military force that allegedly associated with neo-Nazi ideology in the past.

This is not the first time threat actors attempted to frame security researchers for their malware.

In 2016, the Apocalypse ransomware operation renamed one of its variants to Fabiansomware after Fabian Wosar. In 2020, one of the Maze ransomware developers released an MBR Locker, claiming it was made by Vital Kremez.

What we know about the Azov wiper

In a new campaign started over the past two days, a threat actor appears to have purchased 'installs' through the SmokeLoader malware botnet to deliver the new destructive Azov wiper.

SmokeLoader is a malware botnet that other threat actors can rent or buy 'installs,' to distribute their own malware on infected devices. SmokeLoader is commonly distributed through websites pushing fake software cracks, game modifications, cheats, and key generators.

Over the past few days, SmokeLoader has begun delivering the new 'Azov Ransomware,' along with other malware [VirusTotal], such as the RedLine Stealer information-stealing malware and the STOP ransomware.

BleepingComputer is aware of victims being double-encrypted, first with Azov and then with STOP ransomware, as SmokeLoader delivered both simultaneously.

The initial ransomware executable [VirusTotal] will be dropped under a random file in the Windows temp (%Temp%) folder and executed.

Once launched, the wiper will copy C:\Windows\System32\msiexec.exe to C:\ProgramData\rdpclient.exe [VirusTotal] and patch it to also contain the Azov wiper. Additionally, the wiper may be configured to launch when Windows starts using the following Registry key.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Bandera" = "C:\ProgramData\rdpclient.exe"

The wiper will now scan all the drives on the computer and encrypt any file that does not have the .ini, .dll, and .exe extensions.

When encrypting files, it will append the .azov file extension to the names of encrypted files. For example, 1.doc is encrypted and renamed to 1.doc.azov, as shown below.

Files encrypted by the 'Azov Ransomware' data wiper - Source: BleepingComputer

 

In each folder that is scanned for files, the wiper will create text files named RESTORE_FILES.txt that contain a message from the threat actor, as shown previously in the article.

A previous version of the wiper found by MalwareHunterTeam used a different ransom note with a much darker message.

Message from an older version of the Azov data wiper - Source: BleepingComputer

 

While the ransomware will be analyzed by researchers for weaknesses in the encryption, at this time, the ransomware should be considered destructive, as there is no way to contact the threat actors and recover decryption keys.

We will update this article if a method is discovered to recover files for free.

However, if this data wiper encrypted your data, you were likely also infected with other malware, such as information-stealing trojans.

Therefore, you should immediately change the passwords on your online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.

The targeted entities are media groups, diplomatic agencies, government and public sector organizations, and think tanks in Japan, all high-interest targets for cyberespionage.

According to Kaspersky, whose analysts have been following APT10's operations in Japan since 2019, the threat actors are constantly evolving their infection tactics and their custom backdoor, 'LODEINFO,' to make detections a lot harder.

The cybersecurity company has published two reports, one illustrating new APT10's infection chain techniques and a second focusing on the evolution of LODEINFO.

Abusing security software

Starting in March 2022, Kaspersky noticed that the APT10 attacks in Japan used a new infection vector, including a spear-phishing email, a self-extracting (SFX) RAR file, and abusing a DLL side-loading flaw in security software.

The RAR archive contains the legitimate K7Security Suite software executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is executed, it will attempt to load the legitimate K7SysMn1.dll file that is normally included in the software suite.. 

However, the executable does not look for the DLL in a specific folder and thus allows malware developers to create a malicious DLL using the same name as K7SysMn1.dll. 

If the malicious DLL is stored in the same folder as the legitimate executables, when launched, the executable will now load the malicious DLL, which contains the LODEINFO malware. 

As the malware is side-loaded using a legitimate security application, other security software may not detect it as malicious.

"K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities," explains Kaspersky in the report.

"The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary."

"These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key."

While the archive extracts in the background and initiates the infection process, the victim sees a decoy document in the foreground to minimize the chances of realizing the compromise.

In June 2022, Kaspersky noticed another variant in the APT10 infection chain, using file-less downloader shellcode delivered via a password-protected Microsoft Office document carrying malicious VBA code.

This time, instead of DLL side-loading, the hackers relied on the macro code to inject and load the shellcode (DOWNISSA) directly into the memory of the WINWORD.exe process.

New LODEINFO

The malware authors released six new versions of LODEINFO in 2022, the latest being v0.6.7, released in September 2022.

At the end of 2021, with the release of LODEINFO v0.5.6, APT10 added multiple C2 communication encryption layers using the Vigenere cipher key in combination with randomly generated junk data.

Additionally, LODEINFO v0.5.6  used XOR obfuscation for the 21 commands supported by the backdoor, while in version 0.5.9, a new hash calculation algorithm for API function names was introduced.

Support for 64-bit platforms was added in version 0.6.2, essentially broadening the targeting scope of the malware. That version also introduced an exemption for machines using the "en_US" locale to avoid unwanted infections.

In LOADEINFO v0.6.3, released in June 2022, the malware authors removed ten unnecessary commands, possibly to make the backdoor leaner and more efficient.

The commands that remain in current versions are:

• Show embedded backdoor command list
• Download a file from C2
• Upload a file to C2
• Inject the shellcode into memory
• Kill a process using a process ID
• Change directory
• Send malware and system information
• Take a screenshot
• Encrypt files by a generated AES key
• Execute a command using WM I
• Config (incomplete implementation)

APT10's Japan-targeting operations are characterized by constant evolution, expansion of targeted platforms, better evasion, and stealthy infection chains.

Kaspersky says LODEINFO v0.6.6 and v0.6.7, which weren't analyzed in this report, are already distributed via new TTPs, so the threat is constantly changing form, making it very hard for analysts and defenders to keep up.

Other recently uncovered operations linked to APT10 include a campaign targeting Middle Eastern and African governments using steganography and another abusing VLC to launch custom backdoors.

The agency's proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.

"Chegg took shortcuts with millions of students' sensitive information," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection, on Monday.

"Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data."

Four breaches within three years

According to FTC's complaint, Chegg was first breached in September 2017 following a phishing attack that targeted multiple employees.

In April 2018, a former contractor used login information to gain access to Chegg Amazon S3 buckets containing the data of millions of users. The data was later found for sale online, together with roughly 25 million passwords in plaintext, which forced the company to reset the passwords of 40 million users.

One year later, after a Chegg executive's credentials were stolen in a phishing attack, a threat actor gained access to the executive email inbox and the personal info (including financial and medical information) of users and employees.

After another 12 months, another Chegg employee fell victim to phishing, allowing the attackers to access the payroll system and steal hundreds of employees' W-2 information (e.g., birth date, Social Security numbers).

Poor data security practices

The FTC complaint alleges that these four data breaches were the result of several poor data security practices, including Chegg failure to implement basic security measures such as the lack of MFA support, the use of a single login for all compromised databases, and not monitoring for malicious activity).

Chegg is also accused of storing the employees' and customers' sensitive information insecurely and failing to provide its employees and contractors with phishing awareness training.

"As a result of these failures, some of the data about Chegg's 40 million customers stolen by its former contractor was later found for sale online," the FTC said.

"Chegg's failure to protect its employees' medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud."

Update October 31, 15:49 EDT: A Chegg spokesperson shared the following update after the article was published:

Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed. We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.

Source

This guidance was developed through the Enduring Security Framework (ESF), a public-private partnership working to address threats to U.S. national security systems and critical infrastructure.

"Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software," the NSA said on Monday.

"After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities."

The ESF will release one more advisory focused on the customer (acquiring organizations) part of the software supply chain lifecycle after issuing the first chapter in September with guidance for software developers.

You can find the complete guide of recommended practices for suppliers, including security requirements planning and maintaining software security, in today's advisory [PDF].

This guidance was released following multiple recent high-profile cyber attacks, including the SolarWinds hack, which have highlighted software supply chain weaknesses that state-backed threat actors can easily exploit.

The danger behind supply-chain attacks has been made evident in real-world attacks multiple times since Russian threat actors compromised SolarWinds to infect downstream customers, including by Kaseya's MSP software which was used to encrypt thousands of companies worldwide, and by how threat actors have used compromised npm modules to execute commands remotely.

After the SolarWinds supply-chain attack led to the compromise of multiple U.S. govt agencies, President Biden signed an executive order in May 2021 to modernize U.S defenses against future cyberattacks.

A new Federal strategy was released by the White House in January 2022, pushing the U.S. government to adopt a "zero trust" security model.

This move was prompted by Biden's executive order and by both the NSA and Microsoft recommending this approach in February 2021 for critical networks (National Security Systems, Department of Defense, Defense Industrial Base) and large enterprises.

The White House's announcement was followed in May by the U.S. National Institute of Standards and Technology (NIST) releasing updated guidance on how enterprises can defend against supply-chain attacks.

More evidence that the software supply chain is a popular and constant target came from a Microsoft report published in October 2021.

The company revealed that the Russian-backed Nobelium hacking group kept targeting the global I.T. supply after breaching SolarWinds, hacking at least 14 managed service providers (MSPs) and cloud service providers after attacking 140 since May 2021.

Source

The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000.

For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

The road to ransomware

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware.

After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity.

The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

Q3 '22 numbers

In the third quarter of 2022, KELA's analysts observed 110 threat actors posting 576 initial access offerings totaling a cumulative value of $4,000,000.

Monthly volume of initial access sales (KELA)

 

The average selling price of these listings was $2,800, while the median selling price reached a record figure of $1,350.

Initial access sales prices (KELA)

 

KELA also saw a case of a single access being offered for purchase at the astronomical price of $3,000,000. However, this listing was not included in the Q3 '22 stats and totals due to doubts about its authenticity.

The top three IABs operated a large-scale business, offering between 40 and 100 accesses for sale in Q3 2022.

Based on hacking forum discussions and marketplace listing removal events, the average time to sell corporate access was just 1.6 days, while most were of RDP and VPN types.

This quarter's most targeted country was the United States, accounting for 30.4% of all IAB offerings. This stat is close to the 39.1% share of ransomware attacks in Q3 targeting U.S. companies.

Most targeted countries by IABs in Q3 (KELA)

 

When looking at the targeted sectors, professional services, manufacturing, and technology topped the list with 13.4%, 10.8%, and 9.4%, respectively. Again, ransomware attacks feature a similar ranking,  emphasizing the connection between the two.

 

As initial access brokers have become an integral part of the ransomware attack chain, properly securing your network from intrusion is crucial.

This includes placing remote access servers behind VPNs, restricting access to publicly exposed devices, enabling MFA, and conducting phishing training to prevent the theft of corporate credentials.

Why the App Store’s tone-deaf gambling ads make me worry about Apple

The second International Counter Ransomware Summit will focus on priorities such as ensuring systems are more resilient to better withstand attacks and disrupt bad actors planning such assaults.

A senior Biden administration official cited recent attacks such as one that targeted the Los Angeles school district last month to underscore the urgency of the issue and the summit. The official previewed the event on the condition of anonymity.

Among the administration officials planning to participate in the event are FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman. President Joe Biden is not expected to attend.

Participating countries are Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, the Czech Republic, the Dominican Republic, Estonia, the European Commission, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, the Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom and the United States.

Companies that will take part include Crowdstrike, Mandiant, Cyber Threat Alliance, Microsoft, Cybersecurity Coalition, Palo Alto, Flexxon, SAP, the Institute for Security + Technology, Siemens, Internet 2.0, Tata—TCS and Telefónica.

The previous summit took place virtually.

Source

The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.

The issue was addressed by the Microsoft-owned subsidiary on September 19, 2022 following responsible disclosure.

RepoJacking occurs when a creator of a repository opts to change the username, potentially enabling a threat actor to claim the old username and publish a rogue repository with the same name in an attempt to trick users into downloading them.

While Microsoft's countermeasure "retire[s] the namespace of any open source project that had more than 100 clones in the week leading up to the owner's account being renamed or deleted," Checkmarx found that this can be circumvented through the "repository transfer" feature.

The way this works is as follows -

• A threat actor creates a repository with the same name as the retired repository (say, "repo") owned by a user named "victim" but under a different username (say, "helper")

• "helper" transfers ownership of "repo" to a second account with username "attacker"

• "attacker" renames the account's username to "victim"

• The namespace "victim/repo" is now under the adversary's control

In other words, the attack hinges on the quirk that GitHub only considers as retired the namespace, i.e., the combination of username and repository name, permitting a bad actor to reuse the repository name in conjunction with an arbitrary username.

Source

The records of around 200,000 Finland-based LinkedIn users have been leaked on a hacking forum, according to Finnish security firm F-Secure, advising its customers to be vigilant.

However, LinkedIn has vehemently denied that any private member data had been leaked, according to a report by cybernews.com (siirryt toiseen palveluun) on Friday.

F-Secure issued the warning via Twitter on Thursday.

"Over 200k records of Finnish LinkedIn users has (sic) been leaked on a hacking forum. The data contains names, phone numbers, email addresses and more," F-Secure's tweet read.

"We've alerted our customers. The data could be used in spear phishing campaigns, so stay vigilant!" the firm's tweet continued.

Spear phishing is a technique used by cybercriminals to access a person's stolen personal data like email addresses, names and phone numbers in order to falsely use their identity, often for monetary gain.

It remains unclear whether the data of Finland-based LinkedIn users is at risk.

More broadly, cybernews pointed to its earlier reporting (siirryt toiseen palveluun) that said an archive containing data "purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum," while two million other records were leaked as "a proof-of-concept sample by the post author."

Web scraping, or web data extraction, is the automated collection of data from different websites, and is often sold to others.

Source

Last weekend, BleepingComputer reported that threat actors were using stand-alone JavaScript files to install the Magniber ransomware on victims' devices.

When a user downloads a file from the Internet, Microsoft adds a Mark-of-the-Web flag to the file, causing the operating system to display security warnings when the file is launched, as shown below.

What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-a-Web, Windows did not display any security warnings when they were launched.

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the JavaScript files were digitally signed using a malformed signature.

When a malicious file with one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and showing a security warning, Windows would automatically allow the program to run.

The image below demonstrates how the vulnerability allows a file ('calc-othersig.js') with a malformed signature to bypass the Mark-of-the-Web security warning.

Microsoft told BleepingComputer that they were aware of the issue and investigating it.

Free unofficial patch released

As this zero-day vulnerability is actively exploited in ransomware attacks, the 0patch micro-patching service decided to release an unofficial fix that can be used until Microsoft releases an official security update.

In a 0patch blog post, co-founder Mitja Kolsek explains that this bug is caused by Windows SmartScreen's inability to parse the malformed signature in a file.

When SmartScreen can't parse the signature, Windows will incorrectly allow the program to run rather than displaying an error.

"The malformed signature discovered by Patrick and Will caused SmartScreen.exe to throw an exception when the signature could not be parsed, resulting in SmartScreen returning an error," explains Kolsek.

"Which we now know means "Run"."

Kolsek warned that though their patch fixes the majority of attack scenarios, there could also be situations that bypass his patch.

"While our patch fixes the most obvious flaw, its utility depends on the application opening the file using function DoSafeOpenPromptForShellExe in shdocvw.dll and not some other mechanism," warns Kolsek.

"We're not aware of another such mechanism in Windows, but it could technically exist."

Until Microsoft releases official updates to address the flaw, 0patch has developed free patches for the following affected Windows versions:

1. Windows 11 v21H2
2. Windows 10 v21H2
3. Windows 10 v21H1
4. Windows 10 v20H2
5. Windows 10 v2004
6. Windows 10 v1909
7. Windows 10 v1903
8. Windows 10 v1809
9. Windows 10 v1803
10. Windows Server 2022
11. Windows Server 2019 

To install the micropatch on your Windows device, you will need to register a free 0patch account and install its agent.

Once the agent is installed, the patches will be applied automatically without requiring a system restart if there are no custom patching policies to block it.

You can see 0patch's Windows micropatches in action in the video below.

How to download a backup copy of your Twitter data (or deactivate your account)

Of particular interest is Microsoft's reporting that the Raspberry Robin worm is providing access to corporate networks for the Clop ransomware gang.

Other research includes TommyLeaks and SchoolBoys extortion gangs being actually the same group, with TommyLeaks focusing on pure data extortion and SchoolBoys deploying ransomware.

Finally, Microsoft disclosed that Vice Society uses multiple ransomware families in attacks, including BlackCat, Quantum, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware. Additionally, BleepingComputer is also aware of the group using the HelloKitty ransomware in attacks.

We also learned more information about new and existing ransomware attacks, such as an alleged 60 million LockBit ransomware demand on Pendragon, Hive claiming the attack on Tata Power, Medibank warning that the hackers accessed all customers' personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs disclosing that patient data was stolen.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @BleepinComputer, @struppigel, @malwrhunterteam, @serghei, @fwosar, @Ionut_Ilascu, @DanielGallagher, @VK_Intel, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @Seifreed, @PolarToffee, @malwareforme, @AlvieriD, @_CERT_UA, @Jeremy_Kirk, @MsftSecIntel, @pcrisk, @TrendMicro, @DragosInc, and @BrettCallow.

October 22nd 2022

TommyLeaks and SchoolBoys: Two sides of the same ransomware gang

Two new extortion gangs named 'TommyLeaks' and 'SchoolBoys' are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.

October 24th 2022

Cuba ransomware affiliate targets Ukrainian govt agencies

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country.

Pendragon car dealer refuses $60 million LockBit ransomware demand

Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack from the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .nuis and .nury extensions.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .eking extension.

New KillNet ransomware

PCrisk found a new KillNet ransomware that appears to be tied to pro-Russia hacking group. When encrypting files it will append the .killnet and drops a ransom note named Ru.txt.

October 25th 2022

Hive claims ransomware attack on Tata Power, begins leaking data

Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month.

Microsoft: Vice Society targets schools with multiple ransomware families

A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide.

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

Similarly, the initial access portion of this attack began on the exchange servers in the targeted environment, when a web shell file was dropped in the public access folders in early September 2022 via ProxyShell exploitation.

New Zeppelin ransomware variant

PCrisk found a new Zeppelin ransomware variant called 'Buybackdate' that appends the .bbd2.[victim's_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.

October 26th 2022

Medibank now says hackers accessed all its customers’ personal data

Australian insurance firm Medibank has confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant called 'CRYPTONITE' that appends a random extension and drops a ransom note named lisezmoi.txt.

New Makop ransomware variant

PCrisk found a new Makop ransomware variant that appends the .INT extension and drops a ransom note named +README-WARNING+.txt.

Dragos Industrial Ransomware Analysis: Q3 2022

Dragos is aware of multiple new ransomware groups targeting industrial entities during Q3, like SPARTA BLOG, BIANLIAN, Donuts, ONYX, and YANLUOWANG. Until now, Dragos cannot confirm if these groups are reformed from other dissolved ransomware groups, such as Conti, who shut down their operation last quarter.

Indianapolis Housing Agency responds to massive system-wide ransomware attack

The Indianapolis Housing Agency, the federal agency responsible for providing housing to low-income tenants in the city, has been battling a cyber-attack for the past three weeks that's compromised their entire information technology system.

October 27th 2022

Australian Clinical Labs says patient data stolen in ransomware attack

Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.

Microsoft links Raspberry Robin worm to Clop ransomware attacks

Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.

New Zeppelin ransomware variant

PCrisk found a new Zeppelin ransomware variant called 'Venolock' that appends the .vn2.1.[victim's_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.

October 28th 2022

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .powd and .pozq extensions.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - October 28th 2022 - Healthcare leaks

VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation

DEV-0950 malicious activity overlaps with financially motivated cybercrime groups tracked as FIN11 and TA505, known for deploying Clop payloads ransomware on targets' systems.

Besides ransomware, Raspberry Robin has also been used to drop other second-stage payloads onto compromised devices, including IcedID, Bumblebee, and Truebot.

"Beginning on September 19, 2022, Microsoft identified Raspberry Robin worm infections deploying IcedID and—later at other victims—Bumblebee and TrueBot payloads," Microsoft Security Threat Intelligence analysts said.

"In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware."

This hints at Raspberry Robin's operators selling initial access to compromised enterprise systems to ransomware gangs and affiliates who now have an additional way to get into their targets' networks besides phishing emails and malicious ads.

In late July, Microsoft also said it detected Evil Corp pre-ransomware behavior on networks where an access broker tracked as DEV-0206 dropped the FakeUpdates (aka SocGholish) backdoor on Raspberry Robin-infected devices.

Nearly 1,000 orgs compromised within 30 days 

Spotted in September 2021 by Red Canary intelligence analysts, Raspberry Robin spreads to other devices via infected USB devices containing a malicious .LNK file.

After the USB device is attached and the user clicks the link, the worm will spawn a msiexec process using cmd.exe to launch a second malicious file stored on the infected drive.

On compromised Windows devices, it communicates with its command and control servers (C2). It also delivers and executes additional payloads after bypassing User Account Control (UAC) on infected systems using several legitimate Windows utilities (fodhelper, msiexec, and odbcconf).

Microsoft said in early July that it detected Raspberry Robin malware infection on the networks of hundreds of organizations from a wide range of industry sectors.

Today, the company revealed that the worm has spread to systems belonging to nearly 1,000 organizations within the past month.

"Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days," Microsoft added.

Source

Malware droppers are a challenging category of apps to stop because they do not contain malicious code themselves and thus can more easily pass Google Play reviews when submitted to the store.

At the same time, they do not raise suspicion among the users as they provide the advertised functionality, and malicious behavior is conducted behind the scenes.

Researchers at Threat Fabric, who discovered the new set of droppers, report a rise in the use of droppers for Android malware distribution precisely because they can offer a stealthy pathway to infecting devices.

This is particularly important considering the ever-increasing restrictions and safeguards introduced with each major Android release, preventing malware from abusing permissions, fetching malicious modules from external resources, or using the Accessibility service to perform unlimited actions on the device.

The SharkBot campaign

The first dropper campaign spotted by Threat Fabric at the beginning of October 2022 pushes the banking trojan known as SharkBot.

SharkBot is an Android malware that can steal credentials through fake login prompts overlayed on legitimate website login forms, perform keylogging, steal and hide SMS messages, and take remote control over a mobile device.

The researchers discovered two harmless-looking dropper apps, 'Codice Fiscale 2022' and 'File Manager Small, Lite,' that are used to install SharkBot on victims' mobile devices.

The first app, 'Codice Fiscale 2022,' is disguised as a tool to calculate tax payments in Italy and has been downloaded 10,000 times.

When a user installs the malicious dropper app, it will eventually prompt them to install a fake update, which installs the SharkBot malware on their device.

To install additional Android packages from a remote server, Google requires apps to request the 'REQUEST_INSTALL_PACKAGES.' However, newer versions of Android warn about the dangers of this permission, making it harder to convince users to install the 'update.'

The dropper instead opens a webpage made to appear like Google Play, tricking the user into tapping the "Update" button from the browser and thus bypassing the need for this permission.

The SharkBot version it drops targets Italian banks using fake login overlays, SMS interception for 2FA codes, keylogging, and a cookie stealer.

The File Manager dropper app delivers a more broadly-targeting SharkBot, configured to load overlays for banks in Italy, the UK, Germany, Spain, Poland, Austria, Australia, and the United States.

Vultur campaign

Another campaign using dropper apps delivers the Vultur malware, also a banking trojan operated by a threat actor known as the "Brunhilda Project."

Vultur can perform on-device fraud by offering its operators remote screen streaming and keylogging for social media and messaging apps.

The new variant distributed in the latest campaign also features a previously unseen system of UI logging, recording clicks, gestures, and all actions taken by the victim on the device.

Threat Fabric believes the malware developers added this feature to bypass the security flag restriction on Android, which prevents the content of certain app windows from appearing on screenshots or screencasts.

The droppers distributing Vultur are the following:

• ‘Recover Audio, Images & Videos’ – 100,000 downloads
• ‘Zetter Authentication’ – 10,000 downloads
• ‘My Finances Tracker’ – 1,000 downloads

Like the SharkBot droppers, these droppers also display a request to install a fake update, this time disguised as a Google Play notice. If the user allows the update to install, it will download and install the Vultur malware.

To evade detection when submitted to the Play Store, the installation logic isn’t contained in the dropper apps but instead loaded dynamically by an additional dex file sent by the attacker's command and control servers.

Moreover, the droppers use AES encryption to obfuscate their strings, to hide all functions from automated scanners.

Droppers gonna drop

The use of droppers has become a reliable method for malware installs to bypass scanners and fraud detection mechanisms; hence their deployment rate is expected to grow further.

"Distribution through droppers on Google Play still remains the most "affordable" and scalable way of reaching victims for most of the actors of different level," warns Threat Fabric.

"While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach wide unsuspecting audience with reasonable efforts."

The only downside to droppers is the need to involve the victim in at least one manual action, as they must manually agree to the installation of the payloads, which is their most vulnerable moment.

However, using convincing websites and interfaces will likely continue to allow malware to be installed in this way.

Due to this, it is always important to never allow updates from remote sources if possible and to analyze URLs to confirm you are installing apps from the official Google Play Store rather than a third-party site.

Source